Period for Reply

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS,
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.
1) [ ] Responsive to communication(s) filed on ______.

2a) [X] This action is FINAL. 2b) [ ] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.
4) [X] Claim(s) 1 and 3-27 is/are pending in the application.

4a) Of the above claim(s) ______ is/are withdrawn from consideration.

5) [ ] Claim(s) ______ is/are allowed.

6) [X] Claim(s) 1, 3-27 is/are rejected.

7) [ ] Claim(s) ______ is/are objected to.

8) [ ] Claim(s) ______ are subject to restriction and/or election requirement.
10) [X] The drawing(s) filed on 04 August 2003 is/are: a) [X] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

DETAILED ACTION

Response to Amendment 

This action is in response to the applicant's amendment dated 09/12/2006 with the following results.
The objection to claim 14 is withdrawn due to correction by applicant.

Response to Arguments 

Applicant's arguments filed on 09/12/2006 have been fully considered but they are not persuasive. 
Applicant states that: 

(a) Mann fails to disclose isolating the at least one network interface from the computer network 
and taking the host computer system down to a single user state 

(b) The system of Mann detects a virus before it is received by the receiving entity and operates 
as an intrusion prevention system that isolates the receiving entity from the network to prevent the virus 
from being received at all. 

(c) Mann provides no indication that the peripheral device is adapted to take the receiving device
down to a single user state, and, moreover, teaches away from a single user state by stating:

A further advantage of the invention is that it isolates the data sending entity from the 
data receiving entity without disrupting normal operation of either entity. 

With respect to (a), the network described by Mann consists of two entities: a data sending entity 
and a data receiving entity. A first data channel is coupled to the data sending entity and a second data 
channel is coupled to a data receiving entity. When the first data channel is isolated from the second 
data channel, it is obvious that the two entities are isolated from each other. Because there are only two 
entities and they are isolated from each other, it is clear that both entities are in single user states. 

With respect to (b), applicant's claim states: "detecting an intrusion event using a system
daemon; and in response to detecting the intrusion event, isolating the at least one network interface."
Applicant's argument that the system of Mann detects a virus before it is received by the receiving entity
does not traverse the rejection. The receiving entity in Mann's system does not itself detect the intrusion, but
the intrusion is detected nonetheless, and the claim does not require that the host perform the detection.

With respect to (c), Mann's system does allow each entity to continue normal operation
subsequent to isolation. Applicant's claim language only states that the host computer system is taken
down to a single user state. This claim language is broad enough, in the sense that a single user state
could mean that the host is virtually isolated from the rest of the network, that the examiner's
interpretation of the claim is consistent with Mann's system. Mann does not state that the network is able
to continue normal operation; both entities can operate normally while being isolated from each other.

Therefore, the rejections of the claims are deemed to be proper. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set
forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1 and 3-27 are rejected under 35 U.S.C. 103(a) as being unpatentable over Douglas (US PGPub
2004/0049693) in view of Mann (US Patent No. 6,081,894).

With respect to claim 1, Douglas teaches:
A method comprising:

providing a host computer system having at least one network interface interfaced with a
computer network; (see figure 1A)

operating the host computer system in a multi-user mode; (see figure 1A)
detecting an intrusion event using a system daemon; (see figure 2, element 22).

Douglas does not expressly disclose responding to the detection of the intrusion event
by isolating at least one network interface from the computer network and limiting
physical access to the host computer system by taking the host computer down to a
single user state.
Mann teaches: 

In response to detecting the intrusion event, isolating at least one network interface from the 
computer network and taking the host computer system down to a single user state so that 
access to the host computer system is limited to physical access at the host computer system 
(column 3, lines 2-5). 

It would have been obvious at the time that the invention was made to a person of ordinary skill in the 
art to which the subject matter pertains to modify Douglas' invention so that when an intrusion is 
detected on the host system, the host can be isolated from the remote devices in order to prevent 
propagation of the intrusion. 

With respect to claims 3 and 4, the Douglas reference discloses his invention's capability of being
implemented on UNIX platforms. The Douglas reference does not expressly disclose isolating the
network by issuing an IFCONFIG down command or taking down the host computer system by issuing an
INIT 1 command. It was well recognized by those of ordinary skill in the pertinent arts that IFCONFIG and
INIT 1 are UNIX commands used to shut down network interfaces and to take a machine to single-user
mode, respectively. Because the Douglas reference discloses UNIX, it would have been obvious to one of
ordinary skill in the art to use the built-in IFCONFIG and INIT 1 functions to shut down network interfaces
and take machines to a single-user state.

With respect to claim 5, Douglas teaches:
Reading, by the system daemon, a configuration file that indicates at least one file in a file system of the
host computer system to be monitored for intrusion. (see figure 2, elements 22 and 22b)



With respect to claim 6, Douglas teaches:
A directive type that indicates a file to be monitored for intrusion (see paragraph 57, module 22b);
a directive type that indicates a directory whose members are to be monitored for intrusion (see figure
13A, "/etc/passwd", system is capable of scanning user directories); and
a directive type that indicates another configuration file to be monitored for intrusion (see figures 11A-
11C, myconfigfile.cfg, dragon.cfg).

With respect to claims 7 and 8, Douglas teaches:
Computing a data verification signature for a monitored file in a file system of the host computer
system, and comparing the data verification signature to a valid data verification signature for the
monitored file; wherein said detecting the intrusion event comprises detecting that the data verification
signature differs from the valid data verification signature. (see paragraphs 105 and 106)
Douglas also teaches the above wherein the valid data verification signature comprises a
Message Digest 5 (MD5) signature. (see paragraphs 105 and 106)

With respect to claim 9, Douglas teaches:
Reading the valid data verification signature for the monitored file from a database that is located on a
second computer system isolated physically and programmatically from the host computer system. (see
paragraph 56, lines 10-18)

With respect to claim 10, Douglas teaches:
Writing a log of the intrusion event to a log database that is not located on the host computer system or
second computer system. (see paragraph 40)

With respect to claim 11, Douglas teaches:
Detecting an incorrect permission associated with a file in a file system of the host computer system.
(see paragraph 94)

With respect to claim 12, Douglas teaches:
Detecting an incorrect ownership associated with a file in a file system of the host computer system.
(see paragraphs 97 and 98)

With respect to claim 13, Douglas teaches:
Detecting that a file no longer exists in a file system of the host computer system. (see paragraph 96)
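The following illustration is added here for the reader and is not part of this Office Action, of the Douglas reference, or of the applicant's disclosure. It shows, in working Python, the method as the claim elements discussed above describe it: a daemon reads a configuration file whose directives name a file, a directory whose members are monitored, or another configuration file (claims 5 and 6); computes an MD5 data verification signature for each monitored file and compares it with a stored valid signature (claims 7 and 8); reports an incorrect permission, an incorrect ownership, or a file that no longer exists (claims 11 to 13); and, on an intrusion event, produces the "ifconfig <interface> down" and "init 1" commands discussed for claims 3 and 4. The directive syntax, the file and function names, and the sample files are assumptions made for the example; the valid signatures are held in memory rather than in the remote database of claim 9, and the isolation commands are returned rather than executed unless explicitly requested.

```python
"""Constructed example of a config-driven file-integrity daemon with an
isolation response. Not code from the cited references."""
import hashlib
import os
import shutil
import stat
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical directive types (claim 6): a file, a directory whose members
# are monitored, and another configuration file to be read.
FILE, DIR, INCLUDE = "file", "dir", "include"


def parse_config(path: str, seen=None) -> List[str]:
    """Expand '<directive> <path>' lines into the list of files to monitor
    (claim 5). Included configs are followed; 'seen' stops include loops."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:
        return []
    seen.add(real)
    targets: List[str] = []
    with open(real) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            directive, _, target = line.partition(" ")
            target = target.strip()
            if directive == FILE:
                targets.append(target)
            elif directive == DIR:
                if os.path.isdir(target):
                    for name in sorted(os.listdir(target)):
                        full = os.path.join(target, name)
                        if os.path.isfile(full):
                            targets.append(full)
            elif directive == INCLUDE:
                targets.extend(parse_config(target, seen))
            else:
                raise ValueError(f"bad directive {line!r} in {path}")
    return targets


@dataclass(frozen=True)
class Record:
    md5: str    # MD5 data verification signature (claim 8)
    mode: int   # permission bits only (stat.S_IMODE)
    uid: int
    gid: int


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path: str) -> Record:
    st = os.stat(path)
    return Record(md5_of(path), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def build_baseline(targets: List[str]) -> Dict[str, Record]:
    """Valid signatures. Claim 9 keeps these on a second, isolated system;
    this example keeps them in memory (assumption)."""
    return {t: snapshot(t) for t in targets if os.path.isfile(t)}


def check(targets: List[str], baseline: Dict[str, Record]) -> List[Tuple[str, str]]:
    """Compare current state with the baseline; events follow claims 7, 11-13."""
    events: List[Tuple[str, str]] = []
    for path in sorted(set(targets) | set(baseline)):
        known = baseline.get(path)
        if known is None:
            events.append((path, "not_in_baseline"))
        elif not os.path.exists(path):
            events.append((path, "missing"))             # claim 13
        else:
            cur = snapshot(path)
            if cur.md5 != known.md5:
                events.append((path, "signature_mismatch"))   # claim 7
            if cur.mode != known.mode:
                events.append((path, "incorrect_permission"))  # claim 11
            if (cur.uid, cur.gid) != (known.uid, known.gid):
                events.append((path, "incorrect_ownership"))   # claim 12
    return events


def respond(events, interface: str = "eth0", execute: bool = False) -> List[List[str]]:
    """Claims 3 and 4: 'ifconfig <if> down' isolates the interface, 'init 1'
    drops the host to single-user mode. Commands run only when execute=True."""
    if not events:
        return []
    commands = [["ifconfig", interface, "down"], ["init", "1"]]
    if execute:
        for cmd in commands:
            subprocess.run(cmd, check=True)
    return commands


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: baseline a directory and an included config, then
    tamper with one file, loosen one permission and delete one file."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.mkdir(etc)
    passwd, shadow = os.path.join(etc, "passwd"), os.path.join(etc, "shadow")
    hosts = os.path.join(root, "hosts")
    for p, body in ((passwd, "root:x:0:0::/root:/bin/sh\n"),
                    (shadow, "root:*:0:0:99999:7:::\n"),
                    (hosts, "127.0.0.1 localhost\n")):
        with open(p, "w") as fh:
            fh.write(body)
    os.chmod(shadow, 0o600)
    sub, main = os.path.join(root, "sub.cfg"), os.path.join(root, "main.cfg")
    with open(sub, "w") as fh:
        fh.write(f"{FILE} {hosts}\n")
    with open(main, "w") as fh:   # self-include exercises the loop guard
        fh.write(f"{DIR} {etc}\n{INCLUDE} {sub}\n{INCLUDE} {main}\n")
    baseline = build_baseline(parse_config(main))
    with open(passwd, "a") as fh:   # tampered content: MD5 now differs
        fh.write("eve:x:0:0::/:/bin/sh\n")
    os.chmod(shadow, 0o644)         # loosened permission
    os.remove(hosts)                # monitored file no longer exists
    events = check(parse_config(main), baseline)
    shutil.rmtree(root)
    return events


if __name__ == "__main__":
    evs = demo()
    for path, event in evs:
        print(f"{event:20s} {path}")
    print("would run:", respond(evs))
```

Running the script prints three events (a signature mismatch on passwd, an incorrect permission on shadow, and a missing hosts file) followed by the two isolation commands it would have issued; passing execute=True to respond() on a real host actually brings the interface down and changes to runlevel 1, so it is left off by default.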
The following patents are cited to further show the state of the art with respect to intrusion
detection systems.

US Patent No. 7,032,114 to Moran, which is cited to show an intrusion detection system.
US Patent No. 6,647,400 to Moran, which is cited to show an intrusion detection system that logs
communication within a log file.
US PGPub 2001/0025311 to Arai et al., which is cited to show file authorization and access control.
US PGPub 2002/0046275 to Crosbie et al., which is cited to show a system for network based
intrusion detection and response.
US PGPub 2002/0083343 to Crosbie et al., which is cited to show a host based intrusion detection
system.
US PGPub 2003/0126468 to Markham, which is cited to show a network wherein if a host is
compromised, said host is isolated from the network.

Kim, Gene H. and Spafford, Eugene H., "The Design and Implementation of Tripwire: A File
System Integrity Checker," February 28, 1995.

Lindqvist, Ulf and Porras, Phillip A., "eXpert-BSM: A Host-based Intrusion Detection Solution for
Sun Solaris," December 10, 2001.

Any response to this Office Action should be faxed to (571) 273-8300 or mailed to:

Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 



Hand-delivered responses should be brought to 

Customer Service Window 
Randolph Building 
401 Dulany Street 
Alexandria, VA 22314 

Any inquiry concerning this communication or earlier communications from the examiner should
be directed to Daniel L. Hoang whose telephone number is 571-270-1019. The examiner can normally
be reached on Monday - Thursday, 8:00 a.m. - 5:00 p.m., EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Nasser Moazzami can be reached on 571-272-4195. The fax phone number for the organization where 
this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application
Information Retrieval (PAIR) system. Status information for published applications may be obtained from
either Private PAIR or Public PAIR. Status information for unpublished applications is available through
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC)
at 866-217-9197 (toll-free).




Daniel L. Hoang 
9/26/06 